Daniel Pocock wrote:
I have slapd listening on port 636 only because I want to enforce use of SSL/TLS It all works successfully (I now have my UNIX users, mail, and about a dozen apps authenticating against it), however... I wanted fault tolerance, and I thought that the way to achieve this would be using DNS SRV and replication (which was also easy to get working) What I've observed: - if I create _ldaps._tcp.example.org SRV records, they are ignored - if I create _ldap._tcp.example.org SRV records, and I ldapsearch with a URI of the form "ldaps:///dc%3Dexample%2Cdc%3Dorg" it works So, it seems to be the combination of the ldaps URI prefix with the _ldap._tcp SRV record that is working, this doesn't seem right
1. Why do you mandate the use of SSL/TLS when you then completely trust DNS SRV RRs? IMO this does not make sense.
2. You could configure LDAP(S) URIs of all replicas in your client (space-separated list).
Description: S/MIME Cryptographic Signature